Techdirt. Stories filed under "clearance"
Easily digestible tech news... https://www.techdirt.com/

NSA Admits Lots Of People Could Have Done What Snowden Did
Mike Masnick, Tue, 31 Dec 2013 08:49:41 PST
https://www.techdirt.com/articles/20131217/16522125593/nsa-admits-lots-people-could-have-done-what-snowden-did.shtml

get the important stuff or not? Each time the story seems to be different. A few months ago, you may recall the NSA insisted that Snowden needed to borrow the identities of others to access the documents he had. They also argued that he must have bypassed or deleted log files. However, in an interview, the NSA's Director of Technology, Lonny Anderson, admits that basically anyone at the NSA with top secret clearance could all access the same stuff and also claims that all the log files were there:

contrary to much of what's been reported about Snowden's work at the NSA, it wasn't his position as a systems administrator and the broad access to networks and databases that came with it that allowed him to steal so many secrets. Rather, Anderson said, "the lion's share" of the information Snowden obtained was available to him because of his top-secret security clearance -- TS/SCI -- which allowed him to access so-called sensitive compartmented information.

That's an important distinction, because it means any number of the thousands of people at the NSA with the same clearance level could have done what Snowden did -- not just the smaller number of systems administrators, who have a kind of "super user" access that isn't granted to all other employees. That helps explain why Anderson couldn't tell the White House that there were no more Snowdens. Theoretically, there could have been thousands of them.

Of course, who knows if Anderson is telling the truth. Later in the interview he seems to contradict himself -- both claiming that Snowden's activities on the network were tracked ("He was not a ghost. It's not like he was so stealthy that we didn't see his activities") and that Snowden was able to get away with what he did because he was "anonymous" on the network.

"Where I think we were negligent -- if we were negligent -- where we were is that we allowed him some form of anonymity as he did that. Someone wasn't watching all of that. So the lesson learned for us is that you've got to remove anonymity from the network."

I guess it's possible that the actions were tracked without the identification of who it was. Amusingly, you could argue that the NSA had the metadata on Snowden's actions, but not the actual details of who he was. Oh, the irony.

The one area where Snowden's sysadmin role apparently did play a part was in being able to get many of those documents off the network without being noticed. Part of his job was, as revealed earlier, to move documents around within the NSA's network, but his sysadmin status allowed him to download those documents without any alarm bells going off.

What Snowden could do as a systems administrator, as opposed to an employee without those privileges, was to "exfiltrate," or remove data from the NSA networks, Anderson said. "That, a normal user would not have been able to do." He acknowledged that the NSA's information control regime is not currently designed to alert officials when documents are being removed by a systems administrator. That's going to change, Anderson said. In the future, individuals will also be locked out of the networks if they remove data without authorization.

At this point, it's difficult to believe anything that the NSA is saying about Snowden, because so much of it seems to contradict what the NSA itself has said in the past. Perhaps that's just part of the disinformation campaign. Or, perhaps it's a sign that the NSA still has no clue what happened.

from the the-changing-story dept

Would You Trust Any Organization That Doesn't Trust 4,000 Of Its Employees? What If It's The NSA?
Glyn Moody, Fri, 6 Sep 2013 04:24:20 PDT
https://www.techdirt.com/articles/20130905/11444824415/would-you-trust-any-organization-that-doesnt-trust-4000-its-employees-what-if-its-nsa.shtml
It's becoming increasingly clear that one of the reasons Edward Snowden was able to access so much secret information -- and walk out of the door with it -- is that the NSA is an organizational mess. A fascinating post by David Ignatius in the Washington Post underlines another way in which the NSA is deeply dysfunctional by any normal standard:

the NSA planned to investigate at least 4,000 of its employees and contractors in 2013, thanks in part to new software that could detect "anomalous" behavior by the workforce.

He goes on to ask an extremely important question:

How do you run an organization where 4,000 of your employees are suspect? I fear that if the NSA tries to impose ever-more stringent controls, this will create even more disgruntled workers and a larger pool of anomalies. A new "Red Scare" may well follow the Snowden revelations, but making every employee a suspect is likely to backfire.

Even the most anodyne of organizations that can't fully trust 4000 of its employees is in big trouble; if it's one that handles some of the most sensitive information in the world, with the potential to save or cost many lives, that lack of trust is a recipe for disaster on a massive scale. And as Ignatius notes, the more the NSA tries to clamp down on people, the more likely it is to create further Edward Snowdens.

Ignatius also points out that the solution is not to close down, but to open up. By reducing drastically the number of things that are deemed secret in the first place, it would be possible to concentrate on protecting just those that really matter:

The beneficiaries in a no-secrets world will be relatively open societies, such as the United States, that are slowly developing a culture of accountability and disclosure for their intelligence agencies, however painful the process may be. The fewer secrets, the less to protect.

Although it's arguable to what extent the US has developed that "culture of accountability and disclosure" for the NSA yet, as President Obama inches towards admitting the scale of the problem here, the rest of the analysis in Ignatius' piece is well worth reading.

from the something-wrong-here dept

For An Intelligence Agency, The NSA Doesn't Seem To Have Much Idea What's Going On Inside Its Own Walls
Tim Cushing, Tue, 3 Sep 2013 09:46:35 PDT
https://www.techdirt.com/articles/20130902/22075024386/intelligence-agency-nsa-doesnt-seem-to-have-much-idea-whats-going-inside-its-own-walls.shtml
Better late than never, the NSA seems like it's finally getting around to fixing the problems on the inside of the agency.

So sharp is the fear of threats from within that last year the NSA planned to launch at least 4,000 probes of potentially suspicious or abnormal staff activity after scrutinizing trillions of employee keystrokes at work. The anomalous behavior that sent up red flags could include staffers downloading multiple documents or accessing classified databases they do not normally use for their work, said two people familiar with the software used to monitor employee activity.

Somebody's putting in some overtime! In addition to sifting through the vast amount of data collected in its many quasi-legal (and some completely illegal) programs, the agency has also had to wade through "trillions" of logged employee keystrokes. (The haystacks are coming from inside the house!)

This investigation has chewed up a lot of money with very little in the way of results, suffering from "critical delays" and (go figure) a lack of cohesive implementation. Meanwhile, a sysadmin headed to Hong Kong with an NSA-to-go kit. Not that a more expeditious rollout of the investigations would have mattered.

Contractors like Snowden, an NSA spokeswoman said, were not included in the plans to reinvestigate 4,000 security clearances.

The agency claims these investigations aren't in place to root out offenders (although it's certainly welcome to do so), but to "reduce the potential" of an insider compromise.

Well, whatever's been put into place so far has failed dramatically, and what's being pursued doesn't look very promising. The agency claims the first rollout was stunted by resources being diverted towards mitigating the fallout from Bradley Manning's leaks. Now, as the agency tries to reignite the investigative process, Snowden (and several media entities) are standing behind it, periodically blowing out the flame.

The NSA still seems to have no idea what exactly Snowden took and that lack of knowledge has forced it to play nothing but defense since the leaks began. The internal vetting process seems to be about as "efficient" as the external process, albeit for very different reasons. An agency that can't search its own email doesn't have a chance against an individual with access and determination.

I am completely croggled by the fact that the NSA apparently had absolutely no contingency plans for this sort of thing.

It doesn't, and that's a very worrying issue for a NATIONAL SECURITY AGENCY. At this point, the NSA can't close the barn doors fast enough and every assertion it makes about the limits, oversight or "trustworthiness" of its programs is usually undermined within a few days by yet another leak. Something aimed at nothing more than a "reduction" in leaky insiders just isn't going to be good enough. On the other hand, the public is benefiting from the NSA's pain -- it's now more informed about the agency's activities than it's been for the previous half-decade -- and the cumulative effects of the leak-and-denial cycle have forced the NSA to actually participate in a national discussion and make tentative steps towards transparency.

from the inside-of-a-panopticon-is-the-least-secure-area dept

Contractors Providing Background Checks For NSA Caught Falsifying Reports, Interviewing The Dead
Tim Cushing, Wed, 10 Jul 2013 08:49:28 PDT
https://www.techdirt.com/articles/20130709/11374023748/contractors-providing-background-checks-nsa-caught-falsifying-reports-interviewing-dead.shtml
The fallout from Ed Snowden's leaks has taken many forms, one of which is the NSA taking a long look at its contractors' hiring processes. Snowden claims to have taken the job solely to gather damning info. This revelation, combined with some inconsistencies in his educational history, has placed the companies that perform background and credit checks under the microscope.

Anthony J. Domico, a former contractor hired to check the backgrounds of U.S. government workers, filed a 2006 report with the results of an investigation.

There was just one snag: A person he claimed to have interviewed had been dead for more than a decade. Domico, who had worked for contractors CACI International Inc. (CACI) and Systems Application & Technologies Inc., found himself the subject of a federal probe.

It's not as if Domico's case is an anomaly.

Domico is among 20 investigators who have pleaded guilty or have been convicted of falsifying such reports since 2006. Half of them worked for companies such as Altegrity Inc., which performed a background check on national-security contractor Edward Snowden. The cases may represent a fraction of the fabrications in a government vetting process with little oversight, according to lawmakers and U.S. watchdog officials.

Who watches the watchers' watchers? It appears as if that crucial link in the chain has been ignored. Give any number of people a job to do and, no matter how important that position is, a certain percentage will cut so many corners their cubicles will start resembling spheres.

These are the people entrusted to help ensure our nation's harvested data remains in safe hands, or at least, less abusive ones. Those defending the NSA claim this data is well-protected and surrounded by safeguards against abuse. Those claims were always a tad hollow, but this information shows them to be complete artifice. The NSA, along with several other government agencies, cannot positively say that they have taken the proper steps vetting their personnel.

USIS, the contractor who vetted Ed Snowden, openly admits there were "shortcomings" in its investigation of the whistleblower. Perhaps Snowden's background check was a little off, but overall, calling the USIS' problems "shortcomings" is an understatement.

Among the 10 background-check workers employed by contractors who have been convicted or pleaded guilty to falsifying records since 2006, eight of them had worked for USIS, according to the inspector general for the U.S. Office of Personnel Management. The personnel agency is responsible for about 90 percent of the government’s background checks.

In one case, Kayla M. Smith, a former investigative specialist for USIS, submitted some 1,600 falsified credit reports, according to the inspector general’s office.

Smith spent 18 months turning in these falsified reports, which accounted for a third of her total output. One might wonder how someone like Smith ends up working for a background check contractor. The answer? This problem isn't confined to one level.

[T]he investigator who had vetted Smith was convicted in a separate falsification case, Patrick McFarland, inspector general for the personnel office, said at a June 20 hearing held by two Senate panels.

Will it get better? USIS is already ceding market share to other contractors but it's impossible to say whether its competitors will be more trustworthy. McFarland says his office doesn't have enough funding to perform thorough probes, which indicates what's been caught so far is just skimming the surface. These agencies harvesting our data (and their defenders) all expect Americans (and others around the world) to simply trust them. Meanwhile, the reasons why we shouldn't continue to mount unabated.

A couple of senators are hoping their new piece of oversight legislation will fix the problem. It would provide McFarland's office with more investigation funding, but simply adding more "oversight" isn't going to make the problem go away. The NSA's mouthpieces continue to insist that everything it does is subject to tons and tons of "oversight," but that has done very little to improve its standing in the "trustworthy" department. There are systemic issues that need to be addressed, both in these agencies and in the contractors they hire, and expecting to paper over the cracks with a little legislation will only result in more revelations of wrongdoing, rather than fewer occurrences.

from the the-talking-dead dept

Universal Music Album Recalled... For Infringing Content?
Mike Masnick, Mon, 20 Feb 2012 16:04:38 PST
https://www.techdirt.com/articles/20120220/02311717803/universal-music-album-recalled-infringing-content.shtml

too clueless to hire someone who understands technology (he has since moved on to lead Sony Music). Of course, we always discover that the most aggressive copyright maximalists are later caught infringing themselves... So it's not surprising to hear that the release of the album for Universal Music recording artist Tyga has run into some copyright problems. While the album had been sent to retailers and was available for pre-order on iTunes, it was yanked off iTunes, and a note was sent to retailers telling them to "pull and return" the album.

The issue? Apparently the title track, "Careless World," has some sound clips from a Martin Luther King speech... and no one bothered to clear it. Oops. Of course, many of us think that locking up MLK's works is a travesty, but his heirs have been incredibly aggressive over the years in claiming that they deserve to get paid for any attempts to honor MLK. Of course, if Universal Music wasn't such an extreme copyright maximalist we might have a bit of sympathy for their plight. But given that they've made this bed, there's a bit of irony in noting that they now have to lie in it.

from the seize-'em! dept

The Ridiculousness Of Copyright Clearances: Fight Club Producers Had To Pay Off Marla Singer?
Mike Masnick, Mon, 1 Feb 2010 09:38:00 PST
https://www.techdirt.com/articles/20100128/0220477961.shtml

make sure no "unauthorized" brands appear in a movie. The process of clearing every single right is mind-boggling, and appears to serve only one purpose: to transfer money from creators to lawyers. I'm reminded of the massive spreadsheet Brett Gaylor showed when he discussed his movie, and the process of trying to secure insurance for it. It went on and on and on and listed every single thing in the movie, and whether it was cleared or not. The more you learn about this stuff, the more ridiculous it seems.

Ry Jones writes in to let us know that he transcribed a part of the Fight Club Director's commentary by David Fincher, where he discusses the insanity of rights clearance for that movie. He mainly discusses two key points, both of which seem ridiculous. First, with the character of Marla Singer, they had to do a search and find out if there are real Marla Singers who might be upset and claim that the movie is about them. If there are lots of Marla Singers, no problem, since they can just say "hey, not you." But if there's one, then it becomes an issue. Guess what?

There's only one Marla Singer in the continental United States, in Illinois somewhere, of course, as soon as attorneys get involved, the whole thing gets completely fucked up. Somebody called her and told her there's this book, and we're making a movie based on this character that had her name. All of a sudden, her attorneys are calling and we have to pay this person off.

On top of that, they had wanted to base the movie in Wilmington, Delaware, which is where the book takes place. But, apparently, that would require all sorts of rights clearances as well, to the point that they weren't even able to show the Delaware state flag because it would require a new set of rights clearances. How does this make any sense at all? Unlike the Aboriginal flag of Australia, the state flag of Delaware certainly should not be covered by copyright, and it makes little sense that there would be any requirement at all for clearing the rights. If the book can take place in Wilmington, Delaware without rights clearances, why can't a movie?